ACK: [SRU][PATCH 1/1] ext4: zero out the unused memory region in the extent tree block
Connor Kuehl
connor.kuehl at canonical.com
Tue Jun 4 16:13:38 UTC 2019
On 6/3/19 11:08 PM, Khalid Elmously wrote:
> From: Sriram Rajagopalan <sriramr at arista.com>
>
> CVE-2019-11833
>
> This commit zeroes out the unused memory region in the buffer_head
> corresponding to the extent metablock after writing the extent header
> and the corresponding extent node entries.
>
> This is done to prevent random uninitialized data from getting into
> the filesystem when the extent block is synced.
>
> This fixes CVE-2019-11833.
>
> Signed-off-by: Sriram Rajagopalan <sriramr at arista.com>
> Signed-off-by: Theodore Ts'o <tytso at mit.edu>
> Cc: stable at kernel.org
> (cherry picked from commit 592acbf16821288ecdc4192c47e3774a4c48bb64)
> Signed-off-by: Khalid Elmously <khalid.elmously at canonical.com>
Acked-by: Connor Kuehl <connor.kuehl at canonical.com>
> ---
> fs/ext4/extents.c | 17 +++++++++++++++--
> 1 file changed, 15 insertions(+), 2 deletions(-)
>
> diff --git a/fs/ext4/extents.c b/fs/ext4/extents.c
> index 5592b7726241..01f44364c547 100644
> --- a/fs/ext4/extents.c
> +++ b/fs/ext4/extents.c
> @@ -1047,6 +1047,7 @@ static int ext4_ext_split(handle_t *handle, struct inode *inode,
> __le32 border;
> ext4_fsblk_t *ablocks = NULL; /* array of allocated blocks */
> int err = 0;
> + size_t ext_size = 0;
>
> /* make decision: where to split? */
> /* FIXME: now decision is simplest: at current extent */
> @@ -1138,6 +1139,10 @@ static int ext4_ext_split(handle_t *handle, struct inode *inode,
> le16_add_cpu(&neh->eh_entries, m);
> }
>
> + /* zero out unused area in the extent block */
> + ext_size = sizeof(struct ext4_extent_header) +
> + sizeof(struct ext4_extent) * le16_to_cpu(neh->eh_entries);
> + memset(bh->b_data + ext_size, 0, inode->i_sb->s_blocksize - ext_size);
> ext4_extent_block_csum_set(inode, neh);
> set_buffer_uptodate(bh);
> unlock_buffer(bh);
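Review bot: The memset length `inode->i_sb->s_blocksize - ext_size` silently depends on `neh->eh_entries` never exceeding the block's capacity; if it ever did, the subtraction would wrap and the memset would run past the buffer. That bound presumably holds because eh_entries is filled from eh_max-derived counts, but nothing in the hunk states it, so I would record it: `/* eh_entries <= eh_max, so ext_size never exceeds s_blocksize */` above the memset. The same applies to the identical computation in the next hunk of ext4_ext_split. ext4_ext_split itself starts and ends outside this hunk.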
> @@ -1217,6 +1222,11 @@ static int ext4_ext_split(handle_t *handle, struct inode *inode,
> sizeof(struct ext4_extent_idx) * m);
> le16_add_cpu(&neh->eh_entries, m);
> }
> + /* zero out unused area in the extent block */
> + ext_size = sizeof(struct ext4_extent_header) +
> + (sizeof(struct ext4_extent) * le16_to_cpu(neh->eh_entries));
> + memset(bh->b_data + ext_size, 0,
> + inode->i_sb->s_blocksize - ext_size);
> ext4_extent_block_csum_set(inode, neh);
> set_buffer_uptodate(bh);
> unlock_buffer(bh);
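Review bot: The added size computation uses `sizeof(struct ext4_extent)` although this branch fills the block with index entries, as the memmove just above it sizes with `sizeof(struct ext4_extent_idx)`. The two structs are the same size today, so the zeroing is correct, but the mismatch invites a wrong length if the layouts ever diverge; I would write `sizeof(struct ext4_extent_idx) * le16_to_cpu(neh->eh_entries)` here to match the memmove. This hunk also drops the parentheses style used by the otherwise identical computation in the previous hunk; one of the two should be aligned with the other.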
> @@ -1282,6 +1292,7 @@ static int ext4_ext_grow_indepth(handle_t *handle, struct inode *inode,
> ext4_fsblk_t newblock, goal = 0;
> struct ext4_super_block *es = EXT4_SB(inode->i_sb)->s_es;
> int err = 0;
> + size_t ext_size = 0;
>
> /* Try to prepend new index to old one */
> if (ext_depth(inode))
> @@ -1307,9 +1318,11 @@ static int ext4_ext_grow_indepth(handle_t *handle, struct inode *inode,
> goto out;
> }
>
> + ext_size = sizeof(EXT4_I(inode)->i_data);
> /* move top-level index/leaf into new block */
> - memmove(bh->b_data, EXT4_I(inode)->i_data,
> - sizeof(EXT4_I(inode)->i_data));
> + memmove(bh->b_data, EXT4_I(inode)->i_data, ext_size);
> + /* zero out unused area in the extent block */
> + memset(bh->b_data + ext_size, 0, inode->i_sb->s_blocksize - ext_size);
>
> /* set size of new block */
> neh = ext_block_hdr(bh);
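Review bot: The new comments say what the memset does but not why it is needed, which is the whole point of the fix; a reader of this hunk alone cannot tell that the tail of `bh->b_data` would otherwise carry stale buffer contents to disk. I would extend the comment to `/* zero out unused area so stale buffer contents are never written to disk */`, and the same wording fits the two memsets added to ext4_ext_split. Here `ext_size` is simply `sizeof(EXT4_I(inode)->i_data)`, which is far below any ext4 block size, so the subtraction cannot wrap. ext4_ext_grow_indepth continues outside this hunk.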
>
--
Connor